Generate user certificate for K8s authentication

README.md

Using Kubernetes approval workflow

Generate private key

openssl genrsa -out DevDan.key 2048

Generate csr

openssl req -new -key DevDan.key -out DevDan.csr -subj "/CN=DevDan/O=development"

Prepare YAML template

cat << 'EOF' > DevDan.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: csr-devdan
spec:
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - digital signature
    - key encipherment
    - client auth
  groups:
    - cluster-admin
EOF

Add csr to template

CSR="$(cat DevDan.csr | base64)" yq eval '.spec.request = strenv(CSR)' -i DevDan.yaml

Send request

kubectl apply -f DevDan.yaml

Approve request

kubectl certificate approve csr-devdan

Retrieve signed certificate

kubectl get csr csr-devdan -o jsonpath='{.status.certificate}' | base64 -d > DevDan.crt

Create & set config

kubectl config set-credentials DevDan --client-certificate=DevDan.crt --client-key=DevDan.key --embed-certs=true
kubectl config set-context DevDan-dev --cluster=kubernetes --user=DevDan --namespace=development
kubectl config set-context DevDan-prod --cluster=kubernetes --user=DevDan --namespace=production

Using plain CA

Only works if you have access to Kubernetes PKI CA private and public keys

Generate private key

openssl genrsa -out DevDan.key 2048

Generate csr

openssl req -new -key DevDan.key -out DevDan.csr -subj "/CN=DevDan/O=development"

Sign csr

sudo openssl x509 -req -in DevDan.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out DevDan.crt -days 45

Create & set config

kubectl config set-credentials DevDan --client-certificate=DevDan.crt --client-key=DevDan.key --embed-certs=true
kubectl config set-context DevDan-dev --cluster=kubernetes --user=DevDan --namespace=development
kubectl config set-context DevDan-prod --cluster=kubernetes --user=DevDan --namespace=production

RBAC development

Scoped to namespace development

Create developer role

kubectl create role developer --verb=create,delete,get,list,patch,update,watch --resource=deployments.apps,replicasets,pods -n development

Bind developer role to user

kubectl create rolebinding developer --role=developer --user=DevDan -n development

RBAC production

Scoped to namespace production

Create production role

kubectl create role production --verb=get,list,watch --resource=deployments.apps,replicasets,pods -n production

Bind production role to user

kubectl create rolebinding production --role=production --user=DevDan -n production

https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing